Cisco has added threat-detection features to its ASA and Firepower Threat Defense (FTD) software that sharply reduce the impact of brute-force and password-spray attacks against remote-access VPN services, both by blocking the attacking sources and by stopping the resource exhaustion those attacks cause on the device.
Password-spray and brute-force attacks share the same goal: gaining unauthorized access to accounts by guessing credentials. They differ in approach. A brute-force attack typically targets a single account with many password attempts in rapid succession. Password spraying instead tries a small set of common passwords against many accounts, one attempt per account at a time, which avoids the lockout policies that defeat a conventional brute-force attack.
In April, Cisco warned that threat actors were conducting large-scale brute-force and password-spray attacks against VPN and SSH services on network devices from multiple vendors, including Cisco, Checkpoint, Fortinet, SonicWall, RD Web Services, Mikrotik, Draytek, and Ubiquiti.
Cisco warned that, depending on the targeted configuration, successful attacks could lead to unauthorized network access, account lockouts, or denial-of-service conditions.
The resource exhaustion these attacks cause on ASA and FTD devices is tracked as CVE-2024-20481: a device subjected to a large enough volume of these authentication attempts runs out of resources, taking the remote-access VPN service down.
Cisco's new countermeasures against VPN brute-force attacks
Following the April attacks, Cisco introduced features that significantly reduce the impact of brute-force and password-spray attacks on its devices.
Some software versions received these features as early as June, but it was only this month that they became available across all supported versions.
Many Cisco administrators were unaware that the features had been introduced. Those who did enable the relevant settings reported that they worked well against VPN brute-force attacks.
One administrator reported that failed authentication attempts dropped from roughly 500,000 per hour to 170 overnight after turning the features on.
The new options are part of the threat detection service and protect against three kinds of attack:
- Brute-force attacks against remote-access VPN services, in which the same source repeatedly fails to authenticate.
- Client-initiation attacks, in which an attacker repeatedly starts connection attempts to the remote-access VPN gateway from a single host but never completes them.
- Connection attempts to internal-only tunnel groups. These built-in tunnel groups exist solely for the device's internal functionality; legitimate endpoints should never attempt to connect to them, so any such attempt is suspect.
According to Cisco, client-initiation attacks in particular are usually aimed at exhausting device resources, which can leave the device in a denial-of-service (DoS) condition.
To use these features, the device must be running a supported release of Cisco ASA or FTD. The original article listed, for each software release train, the first version that carries the features (that version and every newer release within the same train); the train and version numbers did not survive in this copy, so only the shape of the list remains:
- … -> supported from … and newer releases within this train (one entry per listed release train; the version numbers are not recoverable here).
On a supported software version, the following commands enable the new features.
To block connection attempts to the built-in, internal-only tunnel groups that legitimate clients never connect to, use:
threat-detection service invalid-vpn-access
To block a source IP address that repeatedly initiates an authentication request to the RAVPN service without ever completing it, use:
threat-detection service remote-access-client-initiations hold-down <minutes> threshold <count>
To block a source IP address that repeatedly fails to authenticate to the RAVPN service, use:
threat-detection service remote-access-authentication hold-down <minutes> threshold <count>
The two parameters are defined as follows:
- hold-down: the time window, measured from the most recent failed attempt or initiation, within which further attempts from the same source are counted as part of the same series. When the number of consecutive attempts within this window reaches the threshold, the source IPv4 address is shunned. The hold-down can be set between 1 minute and 24 hours (1440 minutes).
- threshold: the number of attempts within the hold-down window that triggers a shun. It can be set between 5 and 100.
If a source IP address makes too many connection or authentication attempts within the hold-down window, the ASA or FTD software shuns it indefinitely; the block stays in place until an administrator removes it with the following command:
no shun source_ip [vlan vlan_id]
Because shuns are not released automatically, one Cisco ASA administrator shared a script that clears all shunned IP addresses every seven days.
Cisco also shared an example configuration that enables all three protections at once; the configuration block itself did not survive in this copy of the article.
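As an added example that is not part of the original article or of Cisco's documentation, the helper below does two things a practitioner rolling these features out usually ends up scripting: it emits the three configuration commands described above with the hold-down and threshold values checked against the documented ranges (1 to 1440 minutes, 5 to 100 attempts), and it turns `show shun` output into the `no shun` commands needed to release blocked addresses, the periodic purge the administrator's script performs. The column layout of the constructed `show shun` sample, the parameter values chosen, and the `interfaces` / `allowlist` options are assumptions of this example; the command syntax and the parameter ranges come from the text above.

```python
"""Helpers for Cisco ASA/FTD remote-access VPN threat detection (added example).

Assumptions, not taken from the article or from Cisco:
  - the `show shun` line layout used in the constructed sample below
    ("shun (<interface>) <src_ip> <dst_ip> <sport> <dport> <proto>"),
  - the hold-down / threshold values used in the usage at the bottom.
The command syntax and the documented parameter ranges come from the article.
"""
import re
from ipaddress import ip_address

HOLD_DOWN_RANGE = (1, 1440)   # minutes
THRESHOLD_RANGE = (5, 100)    # attempts within one hold-down window


def _check(name, value, lo, hi):
    """Reject values the device would refuse, before they reach the CLI."""
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer in [{lo}, {hi}], got {value!r}")


def build_threat_detection_config(init_hold_down, init_threshold,
                                  auth_hold_down, auth_threshold):
    """Return the three ASA/FTD commands that enable all three protections."""
    _check("client-initiation hold-down", init_hold_down, *HOLD_DOWN_RANGE)
    _check("client-initiation threshold", init_threshold, *THRESHOLD_RANGE)
    _check("authentication hold-down", auth_hold_down, *HOLD_DOWN_RANGE)
    _check("authentication threshold", auth_threshold, *THRESHOLD_RANGE)
    return [
        "threat-detection service invalid-vpn-access",
        "threat-detection service remote-access-client-initiations "
        f"hold-down {init_hold_down} threshold {init_threshold}",
        "threat-detection service remote-access-authentication "
        f"hold-down {auth_hold_down} threshold {auth_threshold}",
    ]


# Constructed sample of `show shun` output (documentation-range addresses);
# the exact column layout is an assumption made for this example.
SAMPLE_SHOW_SHUN = """\
shun (outside) 203.0.113.45 0.0.0.0 0 0 0
shun (outside) 198.51.100.7 0.0.0.0 0 0 0
shun (inside) 10.0.0.99 0.0.0.0 0 0 0
"""

_SHUN_LINE = re.compile(r"^\s*shun\s+\((?P<iface>[^)]+)\)\s+(?P<src>\S+)")


def parse_shun_table(text):
    """Return (interface, source_ip) pairs found in `show shun` output."""
    entries = []
    for line in text.splitlines():
        m = _SHUN_LINE.match(line)
        if not m:
            continue
        src = m.group("src")
        try:
            ip_address(src)          # skip anything that is not a literal address
        except ValueError:
            continue
        entries.append((m.group("iface"), src))
    return entries


def unshun_commands(shun_output, interfaces=("outside",), allowlist=()):
    """Build `no shun <ip>` commands for shunned sources on the given interfaces.

    Sources listed in `allowlist` stay blocked (a known scanner you want to keep
    out); every other shunned source on the selected interfaces is released,
    which is what a periodic purge of the shun table amounts to.
    """
    keep = set(allowlist)
    return [
        f"no shun {src}"
        for iface, src in parse_shun_table(shun_output)
        if iface in interfaces and src not in keep
    ]


if __name__ == "__main__":
    # Example values (assumed, not Cisco's): 10-minute window, 20 attempts.
    print("\n".join(build_threat_detection_config(10, 20, 10, 20)))
    print("\n".join(unshun_commands(SAMPLE_SHOW_SHUN)))
```

The range check matters in practice because a hold-down or threshold outside the documented limits is rejected by the device, and a value at the loose end of the range (a short window with a high threshold) lets a slow password spray stay below the shun trigger indefinitely. The purge helper is deliberately conservative: it only releases sources on the interfaces you name and never touches an allowlisted address, so a scheduled run cannot accidentally unblock a persistent attacker you have decided to keep shunned.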
A Reddit administrator noted that enabling the client-initiation protection caused some false positives, which largely went away after resetting both its hold-down and threshold values to their defaults.
Asked by BleepingComputer whether enabling these options on a device running RAVPN has any drawbacks, a Cisco representative said there could be a performance impact:
"While there is no expected drawback, enabling new features based on existing device configurations and traffic loads may still have a performance impact."
Administrators are strongly advised to enable these features to protect VPN accounts from brute-force attacks, since compromised VPN credentials can have devastating consequences for the network behind the gateway.